HPE Community
Operating System - HP-UX
1833706 Members
2445 Online
110063 Solutions
New Discussion

restricting su

 
SOLVED
Go to solution
Rainer von Bongartz
Honored Contributor

‎09-18-2003 01:42 AM

‎09-18-2003 01:42 AM

restricting su

Is there any way to restrict the su command .

I want to allow
su - user1
but
su - user2
should be denied.

Regards
Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
0 Kudos
Reply
8 REPLIES 8
Stefan Farrelly
Honored Contributor

‎09-18-2003 01:50 AM

‎09-18-2003 01:50 AM

Re: restricting su

You will have to replace the su binary with a script which checks for who you are trying to su to then allows or disallows it.
Im from Palmerston North, New Zealand, but somehow ended up in London...
0 Kudos
Reply
Thierry Poels_1
Honored Contributor

‎09-18-2003 02:06 AM

‎09-18-2003 02:06 AM

Re: restricting su

Hi,

for non-root users this is easy : keep user2's password secret ;-)

for root : you could test in user2's .profile on 'who am i' which still reflects the original user.
But 'su user2' (without the minus) will pass this again :(

good luck,
Thierry.
All unix flavours are exactly the same . . . . . . . . . . for end users anyway.
0 Kudos
Reply
David_246
Trusted Contributor

‎09-18-2003 02:47 AM

‎09-18-2003 02:47 AM

Re: restricting su

Sorry, I don't agree.
I think there is only one way (when not using an external produkt) to solve this. Current permissions are :
-r-sr-xr-x 1 root root 24576 Aug 6 1998 /usr/bin/su

change them to :
-r-sr-x--- 1 root sugroup 24576 Aug 6 1998 /usr/bin/su

Now you create a sugroup in the /etc/group. Make the members that are allowed to examine su member of the group sugroup.

Regs David
@yourservice
0 Kudos
Reply
Rainer von Bongartz
Honored Contributor

‎09-18-2003 03:16 AM

‎09-18-2003 03:16 AM

Re: restricting su

Hi guys,

I do not want to restrict the use of su (any user is allowed to use it) but I need to restrict the target user called by su. There is a list of users which are only allowed to do a regular login, the use of su to gain this users priviliges is not allowed. (Of course this is a demand from our audit people so let's not debate about the sense of this demand)

Regards
Rainer


He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
0 Kudos
Reply
Stefan Farrelly
Honored Contributor

‎09-18-2003 04:09 AM

‎09-18-2003 04:09 AM

Re: restricting su

Ive not heard of auditing requiring this before. Ive heard many times of them requiring an audit trail of who uses the su command. This is easier as all you need to do is switch on accounting and select the su system call so you can log processes which use it. Then, just in case, you can backtrack and see who used su in the event of a problem.
Im from Palmerston North, New Zealand, but somehow ended up in London...
0 Kudos
Reply
Brian Bergstrand
Honored Contributor

‎09-18-2003 04:31 AM

‎09-18-2003 04:31 AM

Solution

Re: restricting su

There is a more secure way to do this than a script -- if you can install sudo.

First, disable all access to /usr/bin/su

# chmod go-rwx /usr/bin/su

Then add the following to /etc/sudoers

ALL ALL = NOPASSWD : /usr/bin/su

Then to su, your users run:

sudo su

If does not match the list provided in the sudoers file, then sudo will not allow su to run.

This also has the side benifit of loggin all su activity, including unauthorized attempts.

See the sudoers man page for the specific syntax.

HTH.
Reply
Sergejs Svitnevs
Honored Contributor

‎09-18-2003 04:48 AM

‎09-18-2003 04:48 AM

Re: restricting su

Instead of executing "su", use "sudo".
"sudo" lets you have more control over what users can do as other users.
Or
DON'T give out users passwords and change them immediately when a problem is discovered.

Regards,
Sergejs
0 Kudos
Reply
David_246
Trusted Contributor

‎09-18-2003 04:52 AM

‎09-18-2003 04:52 AM

Re: restricting su

Hi Rainer,

Sorry for the misunderstanding. I do this using "eTrust Access Control" from CA. It works perfect for your question.
Also other sudo tools work great with it. From a standard OS without extra tooling this will not be possible.

Regs David
@yourservice
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.